Test rules:
wxs@wxs-mbp yara % cat rules/test.yara
rule b {
strings:
$a = "LSCOLORS"
condition:
$a
}
rule a {
strings:
$a = "FreeBSD"
condition:
$a
}
wxs@wxs-mbp yara %
An awk script to produce one line per file. The first field is the filename and the second field is the comma-separated list of matched rules. The rules are not sorted, but they are consistently ordered. That is, YARA will output rules in a consistent order, which is the order in which they appear in the file.
wxs@wxs-mbp yara % cat french.awk
#!/usr/bin/awk -f
# Input is YARA's default output: one "<rule> <file>" line per match.
{
    # $2 is the file, $1 is the rule that matched it.
    if ($2 in files) {
        files[$2] = files[$2] "," $1
    } else {
        files[$2] = $1
    }
}
END {
    # One line per file: the path padded to 30 columns, then the rule list.
    for (file in files) {
        print sprintf("%-30s", file) files[file]
    }
}
wxs@wxs-mbp yara %
And here's the output over /bin on my laptop:
wxs@wxs-mbp yara % yara rules/test.yara /bin | ./french.awk
/bin/hostname a
/bin/unlink a
/bin/tcsh b
/bin/date a
/bin/echo a
/bin/pwd a
/bin/mkdir a
/bin/cp a
/bin/sleep a
/bin/ed a
/bin/ps a
/bin/[ a
/bin/rm a
/bin/mv a
/bin/dd a
/bin/df a
/bin/ln a
/bin/test a
/bin/kill a
/bin/link a
/bin/ls b,a
/bin/csh b
/bin/rmdir a
/bin/chmod a
/bin/stty a
/bin/cat a
wxs@wxs-mbp yara %
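The same collapse, written as an added shell example that is not part of the post above and not wxs's script: it reads YARA's default `<rule> <file>` output on stdin, emits one tab-separated line per file, and (going beyond the post) sorts both the files and each file's rule list so the result is deterministic regardless of the order rules appear in the rules file, which makes two scans directly diffable. It also keeps the full path when the filename contains spaces, which `$2` in the awk above would truncate. The sample input is constructed, standing in for `yara rules/test.yara /bin`.

```shell
#!/bin/sh
# Constructed sample of YARA's default output ("<rule> <file>" per match).
# Note the deliberate path with a space and the two rules hitting /bin/ls.
SAMPLE_YARA_OUTPUT='a /bin/ls
b /bin/ls
a /bin/cat
b /bin/tcsh
a /bin/date
a /Applications/My App/bin'

# collapse_matches: YARA output on stdin -> "<file><TAB><rule1,rule2,...>" on stdout.
# Files are sorted, and within a file the rule names are sorted, so the output
# does not depend on the order in which rules are defined.
collapse_matches() {
    # Primary key: field 2 to end of line (the path, spaces included).
    # Secondary key: field 1 (the rule name). LC_ALL=C gives byte-order sorting.
    LC_ALL=C sort -k 2 -k 1,1 | awk '
    {
        rule = $1
        # Everything after the first blank, so paths containing spaces survive.
        file = substr($0, length($1) + 2)
        if (file != prev) {
            # New file: flush the previous one (nothing to flush on the first line).
            if (NR > 1) print prev "\t" list
            prev = file
            list = rule
        } else {
            list = list "," rule
        }
    }
    END {
        if (NR > 0) print prev "\t" list
    }'
}

# Stand-alone usage: feed the constructed sample through the collapser.
printf '%s\n' "$SAMPLE_YARA_OUTPUT" | collapse_matches
```

Drop-in use is `yara rules/test.yara /bin | sh collapse.sh`-style, or source the file and pipe into `collapse_matches`; the tab separator is chosen over `%-30s` padding so a downstream `cut -f2` or `diff` against a previous scan does not break on long paths.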